This is pretty simple to do and there are tutorials on it all over the place. The problem is I only do it once in awhile, and forget what I did. Then, I either look up how to do it again, or someone asks me how to do it and I've got to search for a tutorial. So, I decided to put this up, primarily so I won't have to search for it next time.
Say you have a directory that you want to limit only to people who have the password. For example, you have some pictures that you only want your family to see.
We'll start by creating a sub directory under your main apache directory. This directory varies by distribution, you are looking for the DocumentRoot in your httpd.conf. In FreeBSD it defaults to /usr/local/www/apache24/data, in RedHat it's /var/www/html. At any rate, create your new directory under the DocumentRoot. So, if you use Redhat, and stick to their defaults, you'd go to /var/www/html and run mkdir images. (Referring to our earlier example, we'll have an images directory to share photos).
After it's created, cd to images and create a password for the "family" user."
hpasswd -c (full path to images file)/.htpasswd family |
So, on RedHat, if you stick to defaults it would be
htpasswd -c /var/www/images/.htpasswd family |
It will ask for the password and then have you repeat the password. So you will now have a file in /var/www/images called .htpasswd, which will have hashed password for the user family. If you need to add a second user, say friends, you repeat the command but without the -c, which is for create. So
htpasswd /var/www/images/.htpasswd friends |
Now that we have .htpasswd, we'll create an .htaccess file. First, be sure that there isn't another .htaccess file in the DocumentRoot. If there is a file there, it may affect the one you want to create.
Our aim here is to have it so that when family enters the username and password, they will see a list of the available images. Our .htaccess file will read
AuthUserFile /var/www/images/.htpasswd AuthGroupFile /dev/null AuthName "family" AuthType Basic require valid-user Options +Indexes |
Adjust the path to .htpasswd to match your system. The user "family" doesn't have to be a user on the system, it is an arbitrary name to access the directory. The Options +Indexes is what will produce the list of files once the user has authenticated. If that line is missing, once family logs in, they'll get a 403 Forbidden.
The way around that is to have an index.html file in the images file. The index.html file will be required if you don't have the Options +Indexes line. The index.html file can be blank, though if it is, all the user will see once they log in will be a blank page. The user would be able to do something like go to www/images/image01.jpg if they know the exact URL.
In my case, for my uses, when I've passprotected a directory, I want allowed users to see the files in the directory, so I tend to use the Options +Indexes method.
As said above, the main purpose of this page is to make it so that I don't have to look up how to do this each time. It is hoped that the reader will also find it useful.
(Last updated April, 2026)